October Newsletter: New security flaw leads to Shellshock

October 29, 2014 Manhattan Tech Support

New security flaw leads to Shellshock
In late spring of this year, news broke of the biggest security issue to date – Heartbleed. Many companies leaped to secure themselves from this, but the fallout from it is still being felt. That being said, there is a new, even bigger, security problem called Shellshock that all businesses need to now be aware of.

What exactly is Shellshock?

Shellshock is the name applied to a recently uncovered software vulnerability which could be exploited to hack and compromise untold millions of servers and machines around the world. At its heart, the Shellshock vulnerability is based on a program called Bash. This is a Unix-based command program that allows users to type actions that the computer will then execute. It can also read files called scripts that contain detailed instructions.

Bash is run in a text-based window called a shell and is the main command program used by OS X and Unix. If you have a Mac computer and want to see what Bash looks like, simply hit Command (Apple Key) + Spacebar and type in Terminal. In the text-based window that opens, you can enter commands using the Bash language to get your computer to do something, e.g., eject a disc, connect to a server, move a file, etc.

The problem with Bash, however, is that it was recently discovered that by entering a specific line of code, ‘() { :; };’, in a command, you could get a system to run any commands that follow it. In other words, when this line is used, Bash will continue to read and execute the commands that come after it. This, in turn, could lead to a hacker being able to gain full, yet unauthorized, access to systems without having to enter a password. If this happens, there is very little you can do about it.
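Attempts to use this flaw against Web servers commonly arrive in HTTP request headers, so the line of code quoted above shows up in access logs. The following is an added example, not part of the original newsletter: a small log scanner that flags requests carrying that prefix. The log lines are constructed samples in Apache combined log format, and the names `find_probes` and `SAMPLE_LOG` are hypothetical.

```python
import re

# Combined Log Format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)

# The "() {" prefix quoted in the article, tolerating whitespace variations
SIGNATURE = re.compile(r'\(\s*\)\s*\{')

# Constructed sample lines (documentation IP ranges, harmless "echo probe" payload)
SAMPLE_LOG = """\
192.0.2.10 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Macintosh)"
198.51.100.7 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 312 "-" "() { :; }; echo probe"
203.0.113.44 - - [25/Sep/2014:10:02:30 +0000] "GET /cgi-bin/test.cgi HTTP/1.0" 404 210 "() {  :;};echo probe" "curl/7.30.0"
192.0.2.10 - - [25/Sep/2014:10:03:11 +0000] "GET /docs/func() HTTP/1.1" 404 180 "-" "Mozilla/5.0 (Windows NT 6.1)"
"""


def find_probes(log_text):
    """Return one record per log field that contains the Shellshock prefix."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            # Unparseable line: still scan the raw text so nothing is skipped
            if SIGNATURE.search(line):
                hits.append({"line": lineno, "ip": None, "field": "raw"})
            continue
        # Any client-controlled field can carry the string, not just the user agent
        for field in ("request", "referer", "agent"):
            if SIGNATURE.search(m.group(field)):
                hits.append({"line": lineno, "ip": m.group("ip"), "field": field})
    return hits


if __name__ == "__main__":
    for hit in find_probes(SAMPLE_LOG):
        print(hit)
```

A hit means someone tried the string against the server, not that the attempt succeeded; whether it could have worked depends on whether the patched Bash was installed at the time.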

Why is this such a big issue?

To be clear: Shellshock should not directly affect most Windows-based machines. Instead, it affects machines that use Unix and Unix-based operating systems (including OS X). So why is this so big a deal when the majority of the world uses Windows-based computers? In truth, the majority of end-users will be safe from this exploit. However, the problem lies with bigger machines like Web servers, with other devices such as networking devices, and with computers that have had a Bash command shell installed.

While most users have Windows-based computers, the servers that support a vast percentage of the Internet and many business systems run Unix. Combine this with the fact that many other devices like home routers, security cameras, Point of Sale systems, etc. run Unix and this is becoming a big deal.

As we stated above, hackers can gain access to systems using Bash. If, for example, this system happens to be a Web server where important user information is stored, and the hacker is able to use Bash to gain access and then escalate themselves to administrative status, they could steal everything. In turn, this could lead to the information being released on to the Web for other hackers to purchase and subsequently use to launch other attacks, even against Windows-based systems. Essentially, there are a nearly unlimited number of things a hacker can do once they have access.

If this is not dealt with, or taken seriously, we could see not only increased data breaches but also larger scale breaches. We could also see an increase in website crashes, unavailability, etc.

So what should we do?

Because Shellshock mainly affects back-end systems, there is little the majority of users can do at this time. That being said, there are many Wi-Fi routers and networks out there that do use Unix. Someone with a bit of know-how can gain access to these and execute attacks when an individual with a system using Bash tries to connect to Wi-Fi. So, it is a good idea to refrain from connecting to unsecured networks.

Also, if you haven’t installed a Bash command line on your Windows-based machine, your systems will probably be safe from this particular exploit. If you do have servers or networking devices in your business, however, it is worthwhile contacting us right away. The developers of Bash have released a partial fix for this problem and we can help upgrade your systems to ensure the patch has been installed properly.

This exploit, while easy to execute, will be incredibly difficult to protect systems from. That’s why working with an IT partner like us can really help. Not only do we keep systems up-to-date and secure, but we can also ensure that they will not be affected by issues like this. Contact us today to learn how we can help.

 

ERP and HR modules
As a business owner, there are many different keys to success, one of the most important being your staff. If you take care of your employees, there is a good chance that your business will not only be successful but will hopefully also operate with healthy margins. What is sometimes a challenge though is actually managing employees and dealing with all the related information. An Enterprise Resource Planning solution, more specifically a Human Resources module, can be an effective tool that allows you to better manage your employees.


 

Overview of mobile payment systems
Businesses, like restaurants, boutique fashion stores, and even some delivery operations have flocked to mobile payment systems largely because you don’t have to invest in expensive Point of Sale equipment and can instead run it all from a device like an iPad. With the recent new mobile payment announcements and continued enhancements, it is highly likely that mobile payment solutions will see explosive growth in businesses the world over.


 

Office 2013 and 365: The difference
Microsoft Office is one of the most popular and most installed software suites in the world. For those looking to integrate it into their office, there are essentially two ways you can do so: purchase Microsoft Office 2013, or Office 365. While you get Office with both of these options, there is confusion as to what the difference is between the two.


 

All about lists in Google Docs
Google Apps users who have integrated the solution into their office are probably using apps like Docs to produce the majority of their official documents. Because of this, there is a good chance that some of the docs include bulleted or numbered lists. As a Google Docs user, do you know how to add these and modify them? Did you also know that Google has implemented a new way that lists are created?
